replace taint tracking by type tracking and merge remaining queries for CWE-830

javascript/ql/test/query-tests/Security/CWE-830/DynamicCreationOfUntrustedSourceUse.expected

@@ -1,20 +0,0 @@
-nodes
-| DynamicCreationOfUntrustedSourceUse.html:8:27:8:97 | ('https ... //www') |
-| DynamicCreationOfUntrustedSourceUse.html:8:27:8:118 | ('https ... /ga.js' |
-| DynamicCreationOfUntrustedSourceUse.html:8:27:8:118 | ('https ... /ga.js' |
-| DynamicCreationOfUntrustedSourceUse.html:8:28:8:96 | 'https: ... ://www' |
-| DynamicCreationOfUntrustedSourceUse.html:8:85:8:96 | 'http://www' |
-| DynamicCreationOfUntrustedSourceUse.html:8:85:8:96 | 'http://www' |
-| DynamicCreationOfUntrustedSourceUse.html:18:26:18:50 | 'http:/ ... e.com/' |
-| DynamicCreationOfUntrustedSourceUse.html:18:26:18:50 | 'http:/ ... e.com/' |
-| DynamicCreationOfUntrustedSourceUse.html:18:26:18:50 | 'http:/ ... e.com/' |
-edges
-| DynamicCreationOfUntrustedSourceUse.html:8:27:8:97 | ('https ... //www') | DynamicCreationOfUntrustedSourceUse.html:8:27:8:118 | ('https ... /ga.js' |
-| DynamicCreationOfUntrustedSourceUse.html:8:27:8:97 | ('https ... //www') | DynamicCreationOfUntrustedSourceUse.html:8:27:8:118 | ('https ... /ga.js' |
-| DynamicCreationOfUntrustedSourceUse.html:8:28:8:96 | 'https: ... ://www' | DynamicCreationOfUntrustedSourceUse.html:8:27:8:97 | ('https ... //www') |
-| DynamicCreationOfUntrustedSourceUse.html:8:85:8:96 | 'http://www' | DynamicCreationOfUntrustedSourceUse.html:8:28:8:96 | 'https: ... ://www' |
-| DynamicCreationOfUntrustedSourceUse.html:8:85:8:96 | 'http://www' | DynamicCreationOfUntrustedSourceUse.html:8:28:8:96 | 'https: ... ://www' |
-| DynamicCreationOfUntrustedSourceUse.html:18:26:18:50 | 'http:/ ... e.com/' | DynamicCreationOfUntrustedSourceUse.html:18:26:18:50 | 'http:/ ... e.com/' |
-#select
-| DynamicCreationOfUntrustedSourceUse.html:8:27:8:118 | ('https ... /ga.js' | DynamicCreationOfUntrustedSourceUse.html:8:85:8:96 | 'http://www' | DynamicCreationOfUntrustedSourceUse.html:8:27:8:118 | ('https ... /ga.js' | Illegal flow from $@. | DynamicCreationOfUntrustedSourceUse.html:8:85:8:96 | 'http://www' | here |
-| DynamicCreationOfUntrustedSourceUse.html:18:26:18:50 | 'http:/ ... e.com/' | DynamicCreationOfUntrustedSourceUse.html:18:26:18:50 | 'http:/ ... e.com/' | DynamicCreationOfUntrustedSourceUse.html:18:26:18:50 | 'http:/ ... e.com/' | Illegal flow from $@. | DynamicCreationOfUntrustedSourceUse.html:18:26:18:50 | 'http:/ ... e.com/' | here |

javascript/ql/test/query-tests/Security/CWE-830/DynamicCreationOfUntrustedSourceUse.html

@@ -2,7 +2,7 @@
     <head>
         <script type="text/javascript">
             (function() {
-              // NOT OK (no integrity attribute)
+              // OK (we accept this, as a http document location is vulnerable anyway)
               var scrpt = document.createElement('script');
               scrpt.type = 'text/javascript';
               scrpt.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.cdn.local/ga.js';
@@ -10,7 +10,7 @@
               // OK (integrity digest present)
               var scrpt2 = document.createElement('script');
               scrpt2.type = 'text/javascript';
-              scrpt2.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.cdn.local/ga.js';
+              scrpt2.src = 'http://www.cdn.local/ga.js';
               scrpt2.integrity = 'sha256-h0UuK3mE9taiYlB5u9vT9A0s/XDgkfVd+F4VhN/sky=';
 
               // NOT OK (http URL)
@@ -20,6 +20,13 @@
               // OK (https URL)
               var ifrm2 = document.createElement('iframe');
               ifrm2.src = 'https://www.example.com/';
+
+              // NOT OK (http URL tracked through calls)
+              function getUrl(version) {
+                return 'http://www.cdn.local/'+version+'/ga.js';
+              }
+              var ifrm3 = document.createElement('iframe');
+              ifrm3.src = getUrl('v123');
             })();
           </script>
     </head>

javascript/ql/test/query-tests/Security/CWE-830/DynamicCreationOfUntrustedSourceUse.qlref

@@ -1 +0,0 @@
-Security/CWE-830/DynamicCreationOfUntrustedSourceUse.ql

javascript/ql/test/query-tests/Security/CWE-830/FunctionalityFromUntrustedSource.expected

@@ -1,4 +1,5 @@
-| FunctionalityFromUntrustedSource.html:6:9:6:56 | <script>...</> | HTML-element uses untrusted content (script elements should use an HTTPS url and/or use the integrity attribute) |
-| FunctionalityFromUntrustedSource.html:9:9:9:58 | <iframe>...</> | HTML-element uses untrusted content (iframe elements should use an HTTPS url) |
-| FunctionalityFromUntrustedSource.html:11:9:11:53 | <iframe>...</> | HTML-element uses untrusted content (iframe elements should use an HTTPS url) |
-| FunctionalityFromUntrustedSource.html:20:9:20:155 | <script>...</> | HTML-element uses untrusted content (script elements that depend on this CDN should use an HTTPS url and use the integrity attribute) |
+| DynamicCreationOfUntrustedSourceUse.html:18:26:18:50 | 'http:/ ... e.com/' | HTML-element uses untrusted content (iframe elements should use an HTTPS url) |
+| DynamicCreationOfUntrustedSourceUse.html:29:27:29:40 | getUrl('v123') | HTML-element uses untrusted content (iframe elements should use an HTTPS url) |
+| StaticCreationOfUntrustedSourceUse.html:6:9:6:56 | <script>...</> | HTML-element uses untrusted content (script elements should use an HTTPS url and/or use the integrity attribute) |
+| StaticCreationOfUntrustedSourceUse.html:9:9:9:58 | <iframe>...</> | HTML-element uses untrusted content (iframe elements should use an HTTPS url) |
+| StaticCreationOfUntrustedSourceUse.html:21:9:21:155 | <script>...</> | HTML-element uses untrusted content (script elements that depend on this CDN should use an HTTPS url and use the integrity attribute) |

javascript/ql/test/query-tests/Security/CWE-830/FunctionalityFromUntrustedSource.html

@@ -1,22 +0,0 @@
-<!DOCTYPE html>
-<html>
-    <head>
-    </head>
-    <body>
-        <script src="http://test.local/foo.js"></script>> <!-- NOT OK -->
-        <script src="http://test.local/foo.js" integrity="some-integrity-hash"></script>>  <!-- OK (integrity digest present) -->
-        <script src="https://test.local/bar.js"></script>> <!-- OK (https) -->
-        <iframe src="http://test.local/foo.html"></iframe> <!-- NOT OK -->
-        <iframe src="https://test.local/foo.html"></iframe> <!-- OK (https) -->
-        <iframe src="//test.local/foo.html"></iframe> <!-- NOT OK (protocol-relative url) -->
-        <iframe src="http://::1/foo.html"></iframe> <!-- OK (localhost) -->
-        <iframe src="http://[::1]:80/foo.html"></iframe> <!-- OK (localhost) -->
-        <iframe src="http://127.0.0.1:444/foo.html"></iframe> <!-- OK (localhost) -->
-
-        <!-- Some CDNs recommend using the integrity attribute — for those, we demand it even with https links -->
-        <!-- OK (digest present) -->
-        <script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.8.2/angular.min.js" integrity="sha512-7oYXeK0OxTFxndh0erL8FsjGvrl2VMDor6fVqzlLGfwOQQqTbYsGPv4ZZ15QHfSk80doyaM0ZJdvkyDcVO7KFA==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
-        <!-- NOT OK (digest missing) -->
-        <script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.8.2/angular.min.js" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
-    </body>
-</html>